formbook | f8be5adbd627ccaf7b9377cb184dc5301246e872b16d0e5a87ead6db52b4c61c

General

Target

e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
Size

841KB
MD5

e0481d215eb5a6d8eaab639888c87851
SHA1

7509d007466cfeff5e935b28ea6fdd894b646035
SHA256

f8be5adbd627ccaf7b9377cb184dc5301246e872b16d0e5a87ead6db52b4c61c
SHA512

7a85bfa9ab45ceacf6b8dc4155ce2b861b3d7e01c91bb1c2d9e821e5801040748624eb0c2b92975bf0eb15a16119e127108570546935861961c38446bca1ccda
SSDEEP

6144:00cgUiX4ifPM1715kQRm1DKLmpv1w0IU8GB92gkk9/EhSWH3neVErgYy0yZKuPE/:vUwMLWEMGaYI9Bk/gou6MYGZHwXgcsc

Score

10^/10

formbook da7 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

da7

Decoy

mtqyc.com

www41116677.com

accessorydwellingarchitect.com

ebizlite.net

ijetsglobal.com

rigrout.info

saritagoldie.com

ambrb.net

surebuthow.com

hayvay.net

tru.store

kfastt.com

tisonbuildingsolutions.com

hotel-mayadelmar.com

josestories.com

jlwriters.com

fertilitypatientleads.net

mobilespraytanlasvegas.com

stlm1688.net

sejingmovie121.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1704-23-0x0000000002390000-0x00000000023BA000-memory.dmp	formbook
behavioral1/memory/2712-33-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJmdcQ.url	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 2712 set thread context of 1284	2712	vbc.exe	21
PID 2860 set thread context of 1284	2860	help.exe	21

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
2712	vbc.exe
2712	vbc.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe
2860	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2712	vbc.exe
2712	vbc.exe
2712	vbc.exe
2860	help.exe
2860	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
Token: SeDebugPrivilege	2712	vbc.exe
Token: SeDebugPrivilege	2860	help.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2524	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	30
PID 1704 wrote to memory of 2524	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2372	2524	csc.exe	32
PID 2524 wrote to memory of 2372	2524	csc.exe	32
PID 2524 wrote to memory of 2372	2524	csc.exe	32
PID 2524 wrote to memory of 2372	2524	csc.exe	32
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1704 wrote to memory of 2712	1704	e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe	33
PID 1284 wrote to memory of 2860	1284	Explorer.EXE	34
PID 1284 wrote to memory of 2860	1284	Explorer.EXE	34
PID 1284 wrote to memory of 2860	1284	Explorer.EXE	34
PID 1284 wrote to memory of 2860	1284	Explorer.EXE	34
PID 2860 wrote to memory of 2836	2860	help.exe	35
PID 2860 wrote to memory of 2836	2860	help.exe	35
PID 2860 wrote to memory of 2836	2860	help.exe	35
PID 2860 wrote to memory of 2836	2860	help.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e0481d215eb5a6d8eaab639888c87851_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xfor0t45\xfor0t45.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB73.tmp" "c:\Users\Admin\AppData\Local\Temp\xfor0t45\CSC3D579902FD314EEE8B503C84D4C79FA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBB73.tmp

Filesize
1KB

MD5
2a87cc695c6995dbc1df380234a76f5e

SHA1
659b87219d8cffdd919b42e0bce4b9398495e26a

SHA256
1b83de3c96fcfdf9a24f9119773a7d7e6aa67d8a034d1d19211a5e7315b48117

SHA512
fe5d902720911389035bc3d81252efa5d57b41552fce4742bd1520ff46b27f46a7df98c3627338f2033ee9a29807a4defa6431ee4c5e607ef842ad6ce0fd5ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfor0t45\xfor0t45.dll

Filesize
15KB

MD5
5c1e93c0a0da271de897cefe3b4944f8

SHA1
678e1528be9ebe7249f0804e47657b16a4e1ddc9

SHA256
1ea24382c959a499faf0421d72036839b5e6c0137072327d5f3edcfd9cc6a76a

SHA512
c32063b37e41b4686ab19a36310881e071e2a032726b53c3553717e60f245870a219e10684192bbacba5a31f45feb306f644cad61facfcd6ad3b2fecf33a10e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfor0t45\xfor0t45.pdb

Filesize
51KB

MD5
6cd10911a7226ba2a1e56e05ba96ef33

SHA1
5f2fcf52818a77b3b7bf7afb6ad6a423f0a47628

SHA256
e605efdcf96d1fe6b2e353102a76c35526d1ea3f5f643ce4241138efd823b798

SHA512
ec9b2bee89a61e45403eb93a57a8fef8d47f5e57c0105174012af59daa5d515d03588a5f620fb65c821246c2f758960f520b5b6c9936e56381d95d8b2fe23a60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJmdcQ.url

Filesize
99B

MD5
0c5ad8ffb381d8fcd612a7cf091d9495

SHA1
cd5fc25909777f02c02e22ee358a2d23a5828108

SHA256
4e4ed363d96f34a712e077c1ab3e69d0bd877da2f1d0a41bff32c03d6af3a997

SHA512
e23faa1d2f473b48da6bacb95d81752cc326d6594c85e82bc5bd7e34026b904c0a4284d25cb8b88415f2867e305b00d1e4a5ef8fc91b0d6421e88b4336c87bb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfor0t45\CSC3D579902FD314EEE8B503C84D4C79FA.TMP

Filesize
1KB

MD5
4c02fd2757df66efbbb758845337d425

SHA1
072901e38b7c3e92a42cd0d3862d0e645dd0b577

SHA256
33597ab3cd1ebf101a68876c1bf32f28c1a98779a3d65dd7aff8dddd94edb77d

SHA512
c2dc5626fb8f214dd9b956ff73f370f47fca2d8dea8de1c6f31adad14342ba2b922e52a8febf5fafc29224bed6a42ab9411f6244172f09e4554ffb8b04b7550f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfor0t45\xfor0t45.0.cs

Filesize
28KB

MD5
1aa33af63d999b60f7f7fe21144dc0a7

SHA1
d93b216abbf86bbe7e1b1e95165de55d79d9edf5

SHA256
22cda5af730bef9b72a5d441bea5352efa4e2709d560c8e635375157e56a52c1

SHA512
6739dd7b4275f15a6347c475123bd088048cee9a7f3315d1bbc8435d43dfca709e9dc61a58aecd64a2a4a5e62aee0436461175c20576b7295e17d1f19255966e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xfor0t45\xfor0t45.cmdline

Filesize
312B

MD5
dca511cea4c7e187e1baade1a66c7a51

SHA1
60e8844a7d48d36b5d50b80078ba12acd5b064e7

SHA256
8fff515febe9ad48662780a5fe0bef7f37e6a6d35caa5466a76f1b1950cd0930

SHA512
e386e904830ec34da5aa8f802854c13c06508dc079d5f52a6fa37ff807cfe682604bb39e62bedc7d9078014e450fcdcb0717d50f743b62785c6628dc6b9583e1

Download Submit
memory/1284-34-0x00000000050F0000-0x0000000005220000-memory.dmp

Filesize
1.2MB

Download
memory/1704-19-0x0000000004BC0000-0x0000000004BFA000-memory.dmp

Filesize
232KB

Download
memory/1704-5-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1704-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1704-20-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/1704-23-0x0000000002390000-0x00000000023BA000-memory.dmp

Filesize
168KB

Download
memory/1704-1-0x0000000000930000-0x0000000000A0A000-memory.dmp

Filesize
872KB

Download
memory/1704-17-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1704-31-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2712-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2712-36-0x0000000000430000-0x0000000000560000-memory.dmp

Filesize
1.2MB

Download
memory/2860-39-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2860-38-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing